GPG support in Mahogany
Thu Dec 12 21:10:02 2002
On Thursday 12 Dec 2002 at 18:21 Dick Gevers wrote
>On Thursday, 12 December 2002 at 7:10 h, Tenui wrote
>about "Re: GPG support in Mahogany":
>>Sorry, Dick, I must in turn disagree with you. It is
>>not the privacy of the recipient that is encroached upon, but rather
>>his/her personal liberty.
>In my view these are almost synonymous, at least in this case.
>Anyway I agree on that point.
>>For the sender, though, it is a question
>>of privacy, and maybe more (life, liberty, property, etc may well be
>True, but he entrusts the contents of the message to the recipient,
>otherwise he should not have sent the (encrypted) message to him.
>So he also trusts the receiver to not repeat the contents by any
>means from the tempest viewer (no matter how, e.g. by retyping
>word for word). So he can only *ask* the recipient to uphold the
>utmost security when viewing his e-mail. However IMHO he
>should not *force* the recipient under all circumstances
>(including those of the highest possible security) to view them
>by means of one viewer or another.
>It is naturally the responsibility of the recipient to observe the
>highest possible security without infringing on that of the sender,
>but the sender must trust the receiver to be the judge of his own
>threat model, not the sender. If there is no such trust the sender
>should not relay the sensitive data to the receiver at all.
>Therefor, IMO, Mahogany should not *force* the recipient to use any
>kind of tempest viewer. It may be turned on by default but I as
>recipient must be able to turn it off if I judge that my
>circumstances permit that - without breaking the trust the sender
>placed in me.
>You may, of course, disagree with me, but in that case I will not
>use your application if it *forces* me to view the content of an
>encrypted message in a manner that I prefer not to use. On the
>other hand, as I said before, if you are in a position to *order*
>me to do so then I can only observe the instruction. But that will
>apply only if there is an agreed relation e.g. employer/employed,
>>Agreed, some users may use "for your eyes only" messages lightly,
>>but if I send such a message it is because I have a good reason for
>>doing so, and I must assume a priori that any sender also has a good
>Okay, in such cases I would say turn the tempest viewer on by
>default, but in a secure setting the receiver should have the
>liberty/privacy/right to turn it off. That does not relieve him of
>the need to not break the privacy, liberty or security of the
>sender. But that should remain in the hands of the recipient. If
>the sender does not trust the receiver to that extent, then don't
>send the message.
>I trust this clarifies my view and I hope that you can to any
>extent agree with what I am saying.
OK. I can understand your point of view and I think it may well be that of
But I suspect that our difference of opinion is based on different
experience of the need
for confidentiality. It is no longer the case, but during a certain period
my life depended on
the confidentiality of the information I transmitted. And when it comes to
my life I don't
But on a more general level, we are talking here in reality about tempest
attacks. No matter
how much I trust my correspondent, I have no idea if he may be the target
for such intrusion.
So I would be happier to accept the sender's' wishes and, in cases that
tell them that I preferred that they did not use this form of message
unless it was absolutely
PGP key: http://www.tenui.tk/keys/0x4E19C1FF.asc
3A6F F173 43E5 6DC4 48BA FF96 0FB9 7EF0 4E19 C1FF